A few weeks ago we shipped a free audit scanner for PrestaShop stores — 21 checks
across security, SEO, performance, platform hygiene, and internationalization. Before promoting it, we wanted to know:
where does the average PrestaShop store actually stand?
So we pulled 174 real stores from BuiltWith's public PrestaShop lists across Spain, France, Italy, Southern Europe,
and the global tier. 130 of them responded to the scan (the other 44 blocked bots, had expired certs, or were dev
environments). Here's what we found.
The headline
Median global score: 50 / 100. Only 2 stores out of 130 cleared 75. Thirty-nine percent scored under 45 (the
red zone).
That's not a "few outliers drag the average down" story. That's the whole market.
The dataset isn't small-shop cherry-pick either — it includes stores from Repsol, Auchan, Michelin, Penguin Libros,
Pathé, Kickers, bpifrance, ADEME, Curie, CNES, and the PrestaShop project itself. Enterprise-grade brands. Still
mid-pack.
Methodology
-
Source: BuiltWith Trends public lists (
trends.builtwith.com/websitelist/PrestaShop/...), 5 geographies, top stores by traffic. - Deduped across overlapping country buckets → 174 unique domains.
- Scans ran from Cloudflare Workers, server-side only. No third-party browser instrumentation. Core Web Vitals come from Google's public PageSpeed Insights API (lab + field data when available).
- 21 checks per store: HTTPS, HSTS, CSP, X-Content-Type, X-Frame-Options, Referrer-Policy, PrestaShop detection & version, meta title, meta description, Open Graph, canonical, structured data, hreflang, multilingual, language switcher, sitemap, LCP, CLS, FCP, and presence of a chatbot module.
-
Emails harvested from homepage +
/contactstyle pages via regex (yes, there's a CSV; no, we're not spamming it — the scanner CTA just points tosales@smart-shop-ai.com).
Category breakdown
Median score per category, across all 130 scans:
| Category | Median | What this means |
|---|---|---|
| SEO | 60 | The best-performing area. Titles and canonical tags are handled; structured data is not. |
| PrestaShop hygiene | 53 | Most stores expose their PS version. Some still run 1.7. |
| Security | 48 | HTTPS is universal, but the header stack above TLS is usually absent. |
| Performance | 45 | Mobile PageSpeed median is 48. Over half of stores ship slower than 50. |
| i18n | 0 | Almost nobody declares hreflang or ships a proper multilingual setup, even stores visibly serving multiple countries. |
The top failures (sorted by how common they are)
| Check | Stores failing or warning | % |
|---|---|---|
| Rich Search Results (structured data / JSON-LD) | 128 / 130 | 98.5% |
| Largest Contentful Paint | 124 / 130 | 95.4% |
| First Contentful Paint | 124 / 130 | 95.4% |
| AI shopping assistant present | 105 / 130 | 80.8% |
| Content-Security-Policy | 97 / 130 | 74.6% |
| X-Content-Type-Options | 80 / 130 | 61.5% |
| Open Graph tags | 80 / 130 | 61.5% |
| Meta description | 75 / 130 | 57.7% |
| HSTS | 70 / 130 | 53.8% |
| X-Frame-Options | 68 / 130 | 52.3% |
| Sitemap.xml | 67 / 130 | 51.5% |
| Canonical URL | 66 / 130 | 50.8% |
A few of these deserve comment.
Structured data is the silent killer
98.5% of stores don't emit proper JSON-LD for products. Google's product rich results — price, availability, star
ratings in the SERP — depend on it. Without it your listings render as a plain blue link next to competitors showing
stars and a €. In 2026 that's leaving free conversions on the table.
PrestaShop's default theme (classic) ships some microdata, but it's old schema.org syntax that Google increasingly
deprioritizes. Only 2 stores in the dataset had modern product-level JSON-LD we could parse.
Core Web Vitals are a massacre
95% of stores fail LCP and FCP. Median PageSpeed performance is 48/100, and 53% of stores score below 50. Causes
we see repeatedly:
- Unoptimized hero images (no
<picture>, no WebP, no explicit dimensions → layout shift) - Blocking third-party scripts in
<head>(chat widgets, analytics, Cookiebot) - PrestaShop's combine-compress-cache toggle turned off in Performance settings
- No HTTP/2 server push or preload hints
None of these are hard to fix. Most of them take 30 minutes. Yet they're universal.
CSP is missing everywhere
74.6% of stores serve zero Content-Security-Policy. That's the one header that blocks script injection even if your
admin gets compromised. It takes one line in .htaccess:
Header set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:; object-src
'none'"
Start in report-only mode, watch the console for a week, tighten, deploy. Two hours of work, full mitigation.
The chatbot gap
80.8% of stores have no chat at all. Of the 11.5% that do, most ship Zendesk Chat or Tawk.to — support tools,
not commerce assistants. Only a handful ship actual AI product advisors. (We build one of these, so take the
observation with the appropriate grain of salt, but the raw number is what it is.)
What's actually installed: the module leaderboard
Across 130 stores, these were the most commonly detected PrestaShop modules:
- Google Sitemap — 85 installs
- Share Buttons — 70
- Email Subscription — 68
- PrestaShop Checkout (the official payment aggregator) — 55
- PayPal — 54
- PS Google Analytics — 46
- Stripe — 24
- Brevo (formerly Sendinblue) — 23
- Klarna — 14
- Page Cache — 14
- Zendesk Chat — 13
- Mollie — 10
- Redsys — 9 (Spain-only, makes sense)
- Pretty URLs — 8
- Google Analytics (legacy) — 8
The tell: 85 stores have the Google Sitemap module installed. But only 63 actually serve a valid sitemap.xml.
Installing ≠ configuring.
Themes
Theme fragmentation is severe. Out of stores where we could identify the theme, the top 10 was:
-
classic— 11 (default) -
warehouse— 8 -
warehousechild— 5 -
classic-rocket— 4 -
ZOneTheme— 4 -
miin_ecco_bella— 4 -
sleedex-jdsports— 2 - Various custom one-offs — the rest
That's a lot of custom builds. Custom themes are also where Core Web Vitals regressions usually live (untested image
pipelines, inlined stylesheets, fonts loaded without display:swap). The data seems to agree.
What a merchant should actually do, in priority order
If you run a PrestaShop store and want to pick only three fixes:
- Fix LCP and FCP. Enable combine-compress-cache in Advanced Parameters → Performance. Switch hero image to WebP with explicit width/height. Defer all non-critical JS. You'll typically gain 20–30 PageSpeed points in a single afternoon.
- Add Rich Snippets via a JSON-LD module (there are several free ones in Addons) or via a theme override. One hour of work, potentially meaningful SERP click-through lift within 2–4 weeks.
-
Add the security headers. Three lines in
.htaccessfor HSTS, X-Content-Type-Options, X-Frame-Options. Add CSP in report-only mode and iterate. One line each, done forever.
If you want the full list for your own store, it's free — scan it. No account
required.
Caveats
- 44 of 174 stores timed out, 403'd, or returned non-HTML to our scanner. Those are missing from the dataset. The real distribution is probably even skewed — stores with good perimeter defenses are overrepresented in the "unreachable" bucket.
- Some BuiltWith-listed stores actually run a non-PrestaShop frontend and proxy to a PS backend. Our scanner flags these as "not confirmed PrestaShop" (73.1% of our dataset confirms as PS; the rest might be running a WordPress/Next.js layer over a PS admin).
- Field performance data only exists for stores with enough Chrome UX Report traffic. Smaller shops fall back to lab data only.
Raw data
If you want to reproduce or extend: the scanner is at audit.smart-shop-ai.com. The
dataset files and analysis script live on the repo (private for now, will open-source the scoring once the baseline
stabilizes).
If you run a PrestaShop store and this post made you uncomfortable, that's the intended effect. Scan yours and fix the
top three. Two hours of work changes the score from 50 to 75.
This analysis was run on 2026-04-18 with SmartShop Audit. Methodology, dataset counts, and check definitions are
reproducible with a single curl against https://audit.smart-shop-ai.com/api/scan.
Top comments (0)